Diffstat (limited to 'ldap/servers')
-rw-r--r-- | ldap/servers/slapd/bind.c | 14 | ||||
-rw-r--r-- | ldap/servers/slapd/libglobs.c | 35 | ||||
-rw-r--r-- | ldap/servers/slapd/proto-slap.h | 2 | ||||
-rw-r--r-- | ldap/servers/slapd/slap.h | 2 |
4 files changed, 2 insertions, 51 deletions
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
index d3e90091..3458ff66 100644
--- a/ldap/servers/slapd/bind.c
+++ b/ldap/servers/slapd/bind.c
@@ -305,8 +305,7 @@ do_bind( Slapi_PBlock *pb )
 switch ( version ) {
 case LDAP_VERSION2:
 if (method == LDAP_AUTH_SIMPLE
- && (config_get_force_sasl_external() ||
- ((dn == NULL || *dn == '\0') && cred.bv_len == 0))
+ && (dn == NULL || *dn == '\0') && cred.bv_len == 0
 && pb->pb_conn->c_external_dn != NULL) {
 /* Treat this like a SASL EXTERNAL Bind: */
 method = LDAP_AUTH_SASL;
@@ -318,17 +317,6 @@ do_bind( Slapi_PBlock *pb )
 }
 break;
 case LDAP_VERSION3:
- if ((method == LDAP_AUTH_SIMPLE) &&
- config_get_force_sasl_external() &&
- (pb->pb_conn->c_external_dn != NULL)) {
- /* Treat this like a SASL EXTERNAL Bind: */
- method = LDAP_AUTH_SASL;
- saslmech = slapi_ch_strdup (LDAP_SASL_EXTERNAL);
- /* This enables a client to establish an identity by sending
- * a certificate in the SSL handshake, and also use LDAPv2
- * (by sending this type of Bind request).
- */
- }
 break;
 default:
 LDAPDebug( LDAP_DEBUG_TRACE, "bind: unknown LDAP protocol version %d\n",
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 89a3c793..c4026ac6 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -620,11 +620,7 @@ static struct config_get_and_set {
 (ConfigGetFunc)config_get_anon_access_switch},
 {CONFIG_MINSSF_ATTRIBUTE, config_set_minssf,
 NULL, 0,
- (void**)&global_slapdFrontendConfig.minssf, CONFIG_INT, NULL},
- {CONFIG_FORCE_SASL_EXTERNAL_ATTRIBUTE, config_set_force_sasl_external,
- NULL, 0,
- (void**)&global_slapdFrontendConfig.force_sasl_external, CONFIG_ON_OFF,
- (ConfigGetFunc)config_get_force_sasl_external}
+ (void**)&global_slapdFrontendConfig.minssf, CONFIG_INT, NULL}
 #ifdef MEMPOOL_EXPERIMENTAL
 ,{CONFIG_MEMPOOL_SWITCH_ATTRIBUTE, config_set_mempool_switch,
 NULL, 0,
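Review bot: The LDAPv2 test in do_bind carries no statement of which binds it maps to SASL EXTERNAL, and that is now the only place where a client certificate can replace the identity of a simple bind. As written, only a bind with an empty DN and empty credentials on a connection whose `pb->pb_conn->c_external_dn` is set is promoted; a bind that carries a DN or a password is processed as sent, and the LDAP_VERSION3 case is emptied by the next hunk. A comment above the `if` such as `/* only an anonymous simple bind on a connection with a certificate identity is treated as SASL/EXTERNAL; a bind with a DN or password is authenticated as sent */` would record that for whoever audits which identity a connection ends up with. The body of do_bind starts and ends outside the hunk.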
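Review bot: Existing configurations that still carry `nsslapd-force-sasl-external` are left without a handler once the `CONFIG_FORCE_SASL_EXTERNAL_ATTRIBUTE` row is gone from this table, and how an unrecognised cn=config attribute is treated at startup or on modify is not visible in this hunk. An operator who had set it to `on` was relying on the client certificate to decide the bind identity; after this change those simple binds are presumably evaluated by DN and password instead, which is an authentication behaviour change that should not pass silently. I would confirm the upgrade path and state it in the commit description or release notes, for example `nsslapd-force-sasl-external has been removed; simple binds are no longer mapped to the certificate identity`. The table initializer starts and ends outside the hunk.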
@@ -925,7 +921,6 @@ FrontendConfig_init () {
 cfg->rewrite_rfc1274 = LDAP_OFF;
 cfg->schemareplace = slapi_ch_strdup( CONFIG_SCHEMAREPLACE_STR_REPLICATION_ONLY );
 cfg->schema_ignore_trailing_spaces = SLAPD_DEFAULT_SCHEMA_IGNORE_TRAILING_SPACES;
- cfg->force_sasl_external = LDAP_OFF; /* do not force sasl external by default - let clients abide by the LDAP standards and send us a SASL/EXTERNAL bind if that's what they want to do */
 cfg->pwpolicy_local = LDAP_OFF;
 cfg->pw_policy.pw_change = LDAP_ON;
@@ -5496,34 +5491,6 @@ config_set_anon_access_switch( const char *attrname, char *value,
 return retVal;
 }
-int
-config_get_force_sasl_external(void)
-{
- int retVal;
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
- CFG_LOCK_READ(slapdFrontendConfig);
- retVal = slapdFrontendConfig->force_sasl_external;
- CFG_UNLOCK_READ(slapdFrontendConfig);
-
- return retVal;
-}
-
-int
-config_set_force_sasl_external( const char *attrname, char *value,
- char *errorbuf, int apply )
-{
- int retVal = LDAP_SUCCESS;
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-
- retVal = config_set_onoff(attrname,
- value,
- &(slapdFrontendConfig->force_sasl_external),
- errorbuf,
- apply);
-
- return retVal;
-}
-
 /*
 * This function is intended to be used from the dse code modify callback. It
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index be3b9dde..9133958c 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -370,7 +370,6 @@ int config_set_anon_access_switch(const char *attrname, char *value, char *error
 int config_set_minssf(const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_accesslogbuffering(const char *attrname, char *value, char *errorbuf, int apply);
 int config_set_csnlogging(const char *attrname, char *value, char *errorbuf, int apply);
-int config_set_force_sasl_external(const char *attrname, char *value, char *errorbuf, int apply );
 #if !defined(_WIN32) && !defined(AIX)
 int config_set_maxdescriptors( const char *attrname, char *value, char *errorbuf, int apply );
@@ -508,7 +507,6 @@ int config_get_mempool_maxfreelist();
 long config_get_system_page_size();
 int config_get_system_page_bits();
 #endif
-int config_get_force_sasl_external();
 int is_abspath(const char *);
 char* rel2abspath( char * );
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index 589756f1..adef7a8a 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -1869,7 +1869,6 @@ typedef struct _slapdEntryPoints {
 #define CONFIG_SSL_CHECK_HOSTNAME_ATTRIBUTE "nsslapd-ssl-check-hostname"
 #define CONFIG_HASH_FILTERS_ATTRIBUTE "nsslapd-hash-filters"
 #define CONFIG_OUTBOUND_LDAP_IO_TIMEOUT_ATTRIBUTE "nsslapd-outbound-ldap-io-timeout"
-#define CONFIG_FORCE_SASL_EXTERNAL_ATTRIBUTE "nsslapd-force-sasl-external"
 #ifdef MEMPOOL_EXPERIMENTAL
 #define CONFIG_MEMPOOL_SWITCH_ATTRIBUTE "nsslapd-mempool"
@@ -2085,7 +2084,6 @@ typedef struct _slapdFrontendConfig {
 long system_page_size; /* system page size */
 int system_page_bits; /* bit count to shift the system page size */
 #endif /* MEMPOOL_EXPERIMENTAL */
- int force_sasl_external; /* force SIMPLE bind to be SASL/EXTERNAL if client cert credentials were supplied */
 } slapdFrontendConfig_t;
 /* possible values for slapdFrontendConfig_t.schemareplace */ |